Need to get session token from okta widget

I am using django-okta-auth on the backend and the okta JS widget on the frontend.

The whole flow is working fine, users are being authenticated and such.

What I want to know is how do I get the sessionID or a session cookie that I can use to close or delete the session?

I want to do this since we have custom logic on the backend side whether the user would be able to authenticate into the application (regardless of okta authentication success).

The problem is that if an Okta user was successfully authenticated through the flow, and was not allowed into the Django application (user not found, user is inactive, etc.), Okta still sees it as a successful login, and the session persists. This means the next time a user tries to log in (Social/SSO), the session just auto-authenticates them.

What I want to do is invalidate the session when the user was rejected from authenticating into django for the reasons like above. How do I get the sessionID or session cookie in this case?

Thanks.

Is your application only protected by the presence of an Okta session then?

I would definitely recommend looking into using OIDC or SAML instead which will 1) ensure the requesting user is assigned to the application within Okta before granting them access and 2) will let you control the application session separately from the Okta session.

For Django, you should have a number of open source libraries that support OIDC/OAuth available to you, though Okta does not have one of our own to recommend.
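One way to apply the backend-side gate the question describes on top of an OIDC login, as an added example that is not part of this thread and not code from django-okta-auth or any Okta library. It assumes the OIDC callback has already validated the ID token and handed over its claims (`sub` is the Okta user ID, `email` the login), that `lookup_local_user` and the small in-memory table stand in for your Django user model query, and that `http_delete` is an injectable transport so the Okta call can be stubbed offline. The application session is only created when the local check passes; when it fails, the user's Okta sessions are cleared with the Okta Users API call `DELETE /api/v1/users/{userId}/sessions` (SSWS API token), which addresses the "next login auto-authenticates" problem without needing the widget's session ID or cookie.

```python
"""Gate Okta-authenticated users in a Django callback view.

Added example; names `lookup_local_user`, `gate_okta_login` and the
`http_delete` transport are hypothetical. The only real external call is
Okta's "Clear user sessions" endpoint:
    DELETE https://{org}/api/v1/users/{userId}/sessions
authenticated with an SSWS API token; it returns 204 on success.
"""
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class LocalUser:
    username: str
    is_active: bool


@dataclass
class Decision:
    allowed: bool
    reason: str
    okta_sessions_cleared: bool = False


# Constructed stand-in for a Django User table; replace with an ORM query.
_FAKE_USER_TABLE = {
    "alice@example.com": LocalUser("alice@example.com", is_active=True),
    "bob@example.com": LocalUser("bob@example.com", is_active=False),
}


def lookup_local_user(email: str) -> Optional[LocalUser]:
    """Hypothetical local lookup; in Django: User.objects.filter(email=...)."""
    return _FAKE_USER_TABLE.get(email)


def urllib_delete(url: str, headers: Dict[str, str]) -> int:
    """Default transport: a real HTTP DELETE, returns the status code."""
    req = urllib.request.Request(url, headers=headers, method="DELETE")
    with urllib.request.urlopen(req) as resp:  # nosec - admin call to your own Okta org
        return resp.status


def clear_okta_sessions(okta_org: str, api_token: str, okta_user_id: str,
                        http_delete: Callable[[str, Dict[str, str]], int]) -> bool:
    """Clear every Okta session for the user so SSO cannot silently re-login them.

    Okta returns 204 when the sessions are cleared. The SSWS token must belong
    to an admin with user-management rights; keep it server-side only.
    """
    url = f"https://{okta_org}/api/v1/users/{okta_user_id}/sessions"
    headers = {
        "Authorization": f"SSWS {api_token}",
        "Accept": "application/json",
    }
    return http_delete(url, headers) == 204


def gate_okta_login(claims: Dict[str, str], okta_org: str, api_token: str,
                    http_delete: Callable[[str, Dict[str, str]], int] = urllib_delete) -> Decision:
    """Decide whether an Okta-authenticated identity may get a Django session.

    `claims` are the already-validated ID-token claims from the OIDC callback.
    On rejection the Okta sessions are cleared; on success the caller is expected
    to create the Django session (django.contrib.auth.login) itself, so the two
    sessions stay independent.
    """
    email = claims.get("email") or claims.get("preferred_username")
    okta_user_id = claims.get("sub")
    user = lookup_local_user(email) if email else None

    if user is None:
        reason = "user not found"
    elif not user.is_active:
        reason = "user inactive"
    else:
        return Decision(allowed=True, reason="ok")

    cleared = False
    if okta_user_id:
        cleared = clear_okta_sessions(okta_org, api_token, okta_user_id, http_delete)
    return Decision(allowed=False, reason=reason, okta_sessions_cleared=cleared)


if __name__ == "__main__":
    # Offline demonstration with a stubbed transport that records the request.
    calls = []

    def fake_delete(url, headers):
        calls.append(url)
        return 204

    print(gate_okta_login({"sub": "00u1", "email": "alice@example.com"}, "dev.okta.com", "tok", fake_delete))
    print(gate_okta_login({"sub": "00u2", "email": "bob@example.com"}, "dev.okta.com", "tok", fake_delete))
    print(calls)
```

Clearing sessions does not revoke OAuth refresh tokens already issued to other apps; if that matters, revoke those separately. Checking application assignment in Okta, as the reply suggests, removes most of these rejections before they reach Django at all; the gate above is for the checks that only your backend can make.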
